Add rule that checks for using the insecure ECB block mode for encryption

2026-04-28 02:05:14 +02:00 · 2022-09-22 15:06:05 +02:00
parent 5e189b8c75
commit 72ba77d900
4 changed files with 88 additions and 2 deletions
--- a/swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.qhelp
+++ b/swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.qhelp
@@ -3,7 +3,7 @@
  "qhelp.dtd">
 <qhelp>
  <overview>
-    <p>ECB should not be used as a mode for encryption as it has dangerous weaknesses. Data is encrypted the same way every time, which means that the same plaintext input will always produce the same ciphertext. This behavior makes messages encrypted with ECB 
+    <p>ECB should not be used as a mode for encryption as it has dangerous weaknesses. Data is encrypted the same way every time, which means that the same plaintext input will always produce the same ciphertext. This behavior makes messages encrypted with ECB
 more vulnerable to replay attacks.</p>
  </overview>

--- a/swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.expected
+++ b/swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.expected
@@ -27,4 +27,4 @@ subpaths
 | test.swift:55:37:55:53 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:55:37:55:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:34:9:34:13 | call to init() :  | call to init() |
 | test.swift:65:42:65:42 | ecb | test.swift:45:12:45:16 | call to init() :  | test.swift:65:42:65:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:45:12:45:16 | call to init() :  | call to init() |
 | test.swift:66:42:66:46 | call to init() | test.swift:66:42:66:46 | call to init() | test.swift:66:42:66:46 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@. | test.swift:66:42:66:46 | call to init() | call to init() |
-| test.swift:67:42:67:58 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:67:42:67:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:34:9:34:13 | call to init() :  | call to init() |
+| test.swift:67:42:67:58 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:67:42:67:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:34:9:34:13 | call to init() :  | call to init() |
--- a/swift/ql/test/query-tests/Security/ECB-Encryption/testAES.swift
+++ b/swift/ql/test/query-tests/Security/ECB-Encryption/testAES.swift
@@ -0,0 +1,45 @@
+
+// --- stubs ---
+
+// These stubs roughly follows the same structure as classes from CryptoSwift
+class AES
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+	init(key: Array<UInt8>, blockMode: BlockMode) { }
+}
+
+protocol BlockMode { }
+
+struct ECB: BlockMode { 
+	init() { }
+}
+
+struct CBC: BlockMode { 
+	init() { }
+}
+
+protocol PaddingProtocol { }
+
+enum Padding: PaddingProtocol {
+  case noPadding, zeroPadding, pkcs7, pkcs5, eme_pkcs1v15, emsa_pkcs1v15, iso78164, iso10126
+}
+
+
+// --- tests ---
+
+func test1() {
+	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f]
+	let ecb = ECB()
+	let cbc = CBC()
+	let padding = Padding.noPadding
+
+	let b1 = AES(key: key, blockMode: ecb, padding: padding) // BAD
+	let b2 = AES(key: key, blockMode: ecb) // BAD
+	let b3 = AES(key: key, blockMode: ECB(), padding: padding) // BAD
+	let b4 = AES(key: key, blockMode: ECB()) // BAD
+
+	let g1 = AES(key: key, blockMode: cbc, padding: padding) // GOOD
+	let g2 = AES(key: key, blockMode: cbc) // GOOD
+	let g3 = AES(key: key, blockMode: CBC(), padding: padding) // GOOD
+	let g4 = AES(key: key, blockMode: CBC()) // GOOD
+}
--- a/swift/ql/test/query-tests/Security/ECB-Encryption/testBlowfish.swift
+++ b/swift/ql/test/query-tests/Security/ECB-Encryption/testBlowfish.swift
@@ -0,0 +1,41 @@
+
+// --- stubs ---
+
+// These stubs roughly follows the same structure as classes from CryptoSwift
+class Blowfish
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+	init(key: Array<UInt8>, blockMode: BlockMode) { }
+}
+
+protocol BlockMode { }
+
+struct ECB: BlockMode { 
+	init() { }
+}
+
+struct CBC: BlockMode { 
+	init() { }
+}
+
+protocol PaddingProtocol { }
+
+enum Padding: PaddingProtocol {
+  case noPadding, zeroPadding, pkcs7, pkcs5, eme_pkcs1v15, emsa_pkcs1v15, iso78164, iso10126
+}
+
+
+// --- tests ---
+
+func test1() {
+	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f]
+	let ecb = ECB()
+	let cbc = CBC()
+	let padding = Padding.noPadding
+
+	let b1 = Blowfish(key: key, blockMode: ecb, padding: padding) // BAD
+	let b2 = Blowfish(key: key, blockMode: ECB(), padding: padding) // BAD
+
+	let g1 = Blowfish(key: key, blockMode: cbc, padding: padding) // GOOD
+	let g2 = Blowfish(key: key, blockMode: CBC(), padding: padding) // GOOD
+}